Performance-driven Development of Deep Packet Inspection Systems on Commodity Platforms
Abstract
Deep Packet Inspection (DPI) systems have been increasingly performed on dedicated hardware, as an attempt to speed up the packet processing for high speed links. This is mainly caused by the current demand for CPU-intensive processing required by regular expression functions, which investigate the packet payload trying to match patterns of application signatures. This study proposes and evaluates techniques to optimize DPI systems using commodity hardware. At first, it is designed a new optimized software architecture. In the following, this architecture is implemented into a DPI software and those optimization techniques are then integrated. Our results show that the time spent with regular expression matching was actually improved, besides the packet loss rate when realizing online measurements meanwhile. The evaluation results state that the performance of a typical DPI process on a Linux box can be improved in almost 100%, and the amount of classified traffic may be increased 220%.References
Bernaille, L., Teixeira, R., Akodkenou, I., Soule, A., and Salamatian, K. 2006. “Traffic classification on the fly,” In: SIGCOMM Comput. Commun. Rev. 36, 2 (Apr. 2006), 23-26.
Deri, L., “Improving Passive Packet Capture: Beyond Device Polling,” In: Proceedings of SANE 2004, 2004.
Deri, L., “nCap: wire-speed packet capture and transmission,” In: Proceedings of the End-to-End Monitoring Techniques and Services. Workshop, p.47-55, May 15-April 30, 2005.
Fernandes, S., Antonello, R., Lacerda, T., Santos, A., Westholm, T. and Sadok, D., “Performance Optimization for Deep Packet Inspection Systems,” In: Proceedings of the 12th IEEE Global Internet Symposium 2009.
Karagiannis, T., Broido, A., Brownlee, N., claffy, kc, and Faloutsos, M., “Is P2P dying or just hiding?,” In: IEEE Globecom 2004 - Global Internet and Next Generation Networks, 2004.
Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., and Turner, J. 2006. “Algorithms to accelerate multiple regular expressions matching for deep packet inspection,” In: Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols For Computer Communications (Pisa, Italy, September 11 - 15, 2006). SIGCOMM '06. ACM, New York, NY, 339-350.
Po-Ching Lin, Ying-Dar Lin, Yuan-Cheng Lai, Tsern-Huei Lee, "Using String Matching for Deep Packet Inspection," In: Computer, vol. 41, no. 4, pp. 23-28, Apr., 2008.
Sen, S., Spatscheck, O. and Wang, D. “Accurate, scalable in-network identification of p2p traffic using application signatures,” In: Proceedings of the 13th international Conference on World Wide Web. WWW '04. ACM, New York, NY, 512-521.
Smith, R., Estan, C., Jha, S., and Kong, S. “Deflating the big bang: fast and scalable deep packet inspection with extended finite automata,” In: SIGCOMM Comput. Commun. Rev. 38, 4 (Oct. 2008), 207-218.
Yu, F., Chen, Z., Diao, Y., Lakshman, T. V. and Katz, R. H., “Fast and memory-efficient regular expression matching for deep packet inspection,” In: Proceedings of the 2006 ACM/IEEE Symposium on Architecture for Networking and Communications Systems. ANCS '06. ACM, New York, NY, 93-102, 2006.
Deri, L., “Improving Passive Packet Capture: Beyond Device Polling,” In: Proceedings of SANE 2004, 2004.
Deri, L., “nCap: wire-speed packet capture and transmission,” In: Proceedings of the End-to-End Monitoring Techniques and Services. Workshop, p.47-55, May 15-April 30, 2005.
Fernandes, S., Antonello, R., Lacerda, T., Santos, A., Westholm, T. and Sadok, D., “Performance Optimization for Deep Packet Inspection Systems,” In: Proceedings of the 12th IEEE Global Internet Symposium 2009.
Karagiannis, T., Broido, A., Brownlee, N., claffy, kc, and Faloutsos, M., “Is P2P dying or just hiding?,” In: IEEE Globecom 2004 - Global Internet and Next Generation Networks, 2004.
Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., and Turner, J. 2006. “Algorithms to accelerate multiple regular expressions matching for deep packet inspection,” In: Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols For Computer Communications (Pisa, Italy, September 11 - 15, 2006). SIGCOMM '06. ACM, New York, NY, 339-350.
Po-Ching Lin, Ying-Dar Lin, Yuan-Cheng Lai, Tsern-Huei Lee, "Using String Matching for Deep Packet Inspection," In: Computer, vol. 41, no. 4, pp. 23-28, Apr., 2008.
Sen, S., Spatscheck, O. and Wang, D. “Accurate, scalable in-network identification of p2p traffic using application signatures,” In: Proceedings of the 13th international Conference on World Wide Web. WWW '04. ACM, New York, NY, 512-521.
Smith, R., Estan, C., Jha, S., and Kong, S. “Deflating the big bang: fast and scalable deep packet inspection with extended finite automata,” In: SIGCOMM Comput. Commun. Rev. 38, 4 (Oct. 2008), 207-218.
Yu, F., Chen, Z., Diao, Y., Lakshman, T. V. and Katz, R. H., “Fast and memory-efficient regular expression matching for deep packet inspection,” In: Proceedings of the 2006 ACM/IEEE Symposium on Architecture for Networking and Communications Systems. ANCS '06. ACM, New York, NY, 93-102, 2006.
Published
2009-07-20
How to Cite
LACERDA, Thiago; FERNANDES, Stênio; OLIVEIRA, Ana Cristina; SADOK, Djamel; KELNER, Judith.
Performance-driven Development of Deep Packet Inspection Systems on Commodity Platforms. In: WORKSHOP ON PERFORMANCE OF COMPUTER AND COMMUNICATION SYSTEMS (WPERFORMANCE), 8. , 2009, Bento Gonçalves/RS.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2009
.
p. 2145-2160.
ISSN 2595-6167.
